IBM Delivers New Software to Advance Security Analysis

IBM announced a new software and analysis solution intended to provide a more efficient and accurate way to help organizations design, build and manage secure applications. The new software, based on enhancements to the IBM Rational AppScan line, consolidates software vulnerability analysis and reporting into a single view across the enterprise. Developers can now assess security threats across the entire software development lifecycle, enabling global development teams to more readily identify and test security exposures.

For example, the toolset can be employed to automate application security audits and source code scanning to ensure that the network and web-based applications are secure and compliant. This delivers improved accuracy of vulnerability identification and remediation, Patrick Vandenberg, manager of IBM Rational security marketing, tells 5 Minute Briefing. "AppScan identifies vulnerabilities in application and web application code that can allow attacks to compromise sensitive data."

As part of AppScan's new features, IBM Research provided string analysis, a software development capability that helps simplify the security testing process by automatically detecting and verifying which web application inputs need to be cleansed to remove security risks. This capability helps improve the accuracy and efficiency of security testing by developers, regardless of their security expertise.
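To illustrate the kind of question string analysis answers (which untrusted inputs reach a sink without the cleansing that sink requires, and whether the cleansing applied matches the sink's context), here is a toy taint analysis over a constructed straight-line program. This is an added example written for this article, not AppScan's code or IBM's algorithm; the source, sanitizer and sink names are hypothetical.

```python
from dataclasses import dataclass

# Hypothetical API names used by the constructed sample program below.
SOURCES = {"request.param"}                               # untrusted input
SANITIZERS = {"html_escape": "html", "sql_quote": "sql"}  # sanitizer -> context it cleanses
SINKS = {"response.write": "html", "db.query": "sql"}     # sink -> context it requires


@dataclass(frozen=True)
class Taint:
    origin: str          # name of the input parameter the value derives from
    cleansed: frozenset  # contexts for which the value has already been sanitized


def analyze(stmts):
    """Walk statements of the form (target, func, args) and report every
    untrusted input that reaches a sink without the sanitizer that sink needs.
    args are variable names, or string literals written with surrounding quotes."""
    env = {}        # variable -> set of Taint values flowing into it
    findings = []   # (sink, origin, missing_context)
    for target, func, args in stmts:
        incoming = set()
        for a in args:
            if not a.startswith('"'):          # literals carry no taint
                incoming |= env.get(a, set())
        if func in SOURCES:
            env[target] = {Taint(args[0].strip('"'), frozenset())}
        elif func in SANITIZERS:
            ctx = SANITIZERS[func]             # cleansing is context-specific
            env[target] = {Taint(t.origin, t.cleansed | {ctx}) for t in incoming}
        elif func in SINKS:
            ctx = SINKS[func]
            for t in sorted(incoming, key=lambda t: t.origin):
                if ctx not in t.cleansed:
                    findings.append((func, t.origin, ctx))
        else:                                   # concat etc.: taint flows through unchanged
            env[target] = incoming
    return findings


# Constructed sample program: two request parameters, one HTML-escaped.
PROGRAM = [
    ("name", "request.param", ['"name"']),
    ("q", "request.param", ['"q"']),
    ("safe", "html_escape", ["name"]),
    ("page", "concat", ['"<h1>Hello "', "safe", '"</h1>"']),
    ("_", "response.write", ["page"]),    # clean: escaped for the HTML context
    ("sql", "concat", ['"SELECT * FROM t WHERE n=\'"', "q", '"\'"']),
    ("_", "db.query", ["sql"]),           # flagged: q never SQL-quoted
    ("_", "db.query", ["safe"]),          # flagged: HTML escaping is the wrong context for SQL
    ("_", "response.write", ["safe", "q"]),  # flagged for q only
]

if __name__ == "__main__":
    for sink, origin, ctx in analyze(PROGRAM):
        print(f"{sink}: input '{origin}' not cleansed for {ctx}")
```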

Web applications are often vulnerable due to a lack of built-in security. The latest release of AppScan is intended to address these vulnerabilities early on in the application development lifecycle. "AppScan is all about identifying vulnerabilities in the code that could be exploited to compromise sensitive data, which is a malicious act," says Vandenberg. "Step one is to find the vulnerabilities, which is followed by fixing the code to remove the vulnerability altogether. Then once the application is deployed that opportunity to exploit the application for malicious gain has been removed."

AppScan now incorporates hybrid analysis capabilities that will help improve vulnerability identification and remediation, IBM says. The hybrid analysis automatically correlates the results of static code analysis with those of dynamic analysis so that more vulnerabilities are identified by automated testing. Automated correlation of results is initially available for Java.

Another new feature, hybrid analysis scanning, enables the simultaneous application of static code analysis and dynamic analysis testing to identify more vulnerabilities than software could previously detect. Provided as an extension to Rational AppScan Standard Edition, this supports JavaScript and provides scanning coverage of an area that was previously a blind spot for organizations.

In addition, IBM announced support for the CAC/PKI (Common Access Card / Public Key Infrastructure) federal security protocol within its Rational Software portfolio. The CAC/PKI protocol enhances the ability of governments globally to prevent unauthorized access to physical and digital environments, access that would compromise the security of military and national initiatives. IBM provides a full range of services for the detailed design, development and implementation of smartcard/biometrics and CAC/PKI solutions as part of its effort to deliver full software lifecycle support for CAC/PKI and other security protocols.